All that encrypts hard drives may not be crypto.

Feb 22, 2008

Earlier this week the information security community collectively slapped its forehead as computer magazine C't published the results of its security analysis of the the Easy Nova Data Box PRO-25UE RFID, an external hard drive that was advertised as transparently encrypting stored data at the drive level using the AES cryptosystem and a 128-bit key (an algorithm and keysize which the NSA has blessed as worthy of encrypting information carrying a security classification of SECRET or lower, incidentally). A key fob containing an RFID chip is used to unlock the drive and provide access to the encrypted data. Because all of the crypto is implemented in hardware, it is possible to plug the drive into just about any computer on the planet without having to install any specialized drivers.

How can I put this succinctly? They were lying through their teeth.

C't Magazine popped the hard drive (a regular hard drive that you can buy on the open market) out of the external housing, hooked it up to a regular IDE-to-USB interface cable, and started poking around at the hardware level with some basic analysis tools. First of all, the drive was filled with zeroes before it was formatted, which is actually good security practice under certain circumstances, but it also makes it possible to determine just how much encrypted data is on the drive by looking for where the noise ends and the zeroes begin. More encrypted data means that you have more data to analyze (and thus, use against the cryptosystem). Secondly, it is an axiom of crypto that encrypted data should look as much like noise as possible, not only to make it difficult to locate encrypted data among background noise (though this is more of a helpful side effect than a deliberate feature) but to eliminate patterns in the stored data (because patterns found in encrypted data can be used to draw conclusions about the algorithm and the key used, information that can potentially be leveraged to decrypt the data). Analyzing the amount of randomness in the data on the test drive showed that there was actually very little randomness - in fact, a repeating pattern emerged immediately. The conclusion drawn from this finding is that AES was not, in fact, used to encrypt the drive, but instead a logical exclusive OR, which is trivial to break (scroll down to section 8.2, "How do I break a Vigenere (repeated-key) cipher?") as implemented.

Because the file system on the drive that has been encrypted was FAT-32, the data structures on disk are known and well documented, so the researchers were essentially able to look at the disk and say "Wow, that looks something like a BIOS parameter block/file allocation table/data region header. I know what that looks like when it isn't encrypted, so I can XOR the encrypted version with what I know the unencrypted version looks like and get the encryption key they used." Due to a quirk in FAT-32, disk sector 67 will almost always consist of all zeroes - known plaintext, shake shake shake, and they had the key. As it turns out, they used the same key for every block on the drive, so when they decrypted a single 512-byte block on the drive they were able to decrypt the rest of the drive in one fell swoop.

When confronted about this, Easy Nova backpedaled fast enough to break the sound barrier - as it turns out, they only use AES to encrypt the unique identification code of the RFID chip in hardware memory and not the data on the drive. Also, as it turns out, there are another half-dozen or so models that use the same 'encryption' hardware as Easy Nova's, and are probably also used in this manner (i.e., incorrectly).